Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Examining the Impact of Website Take-down on
Phishing
Tyler Moore and Richard Clayton
University of Cambridge
Computer Laboratory
APWG eCrime Researchers SummitOct. 4, 2007, Pittsburgh, PA, USA
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Outline
1 Mechanics of phishing
2 Rock-phish attacks
3 Who’s winning the phishing arm’s race?
4 Comparing performance of defenders
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Outline
1 The mechanics of phishing
2 Rock-phish attacks
3 Who’s winning the phishing arm’s race?
4 Comparing performance of defenders
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Technical requirements for phishing attacks
Attackers send out spam impersonating banks with link tofake website
Hosting options for fake website
Free webspace(http://www.bankname.freespacesitename.com/signin/)Compromised machine(http://www.example.com/∼user/images/www.bankname.com/)Registered domain (bankname-variant.com) which thenpoints to free webspace or compromised machine
Personal detail recovery
Completed forms forwarded to a webmail addressStored in a text file on the spoof website
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Defending against phishing attacks
Proactive measures
Web browser mechanisms to detect fake sites, multi-factorauthentication procedures, restricted top-level domains, etc.Not the focus of this paper
Reactive measures
Banks tally phishing URLsReported phishing URLs are added to a blacklist, which isdisseminated via anti-phishing toolbarsBanks send take-down requests to the free webspace operatoror ISP of compromised machineIf a malicious domain has been registered, banks ask thedomain name registrar to suspend the offending domain
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Data collection methodology
Phishing website availability
Several organizations collate phishing reports; we selectedreports from PhishTankPhishTank DB records phishing URLs and relies on volunteersto confirm whether a site is wicked33 710 PhishTank reports overs 8 weeks early 2007Unfortunately, PhishTank does not indicate exactly when sitesare removed and is regularly misled when sites are notdisabled, but rather replaced with generic pagesWe constructed our own testing system to continuously querysites until they stop responding or change
Caveats to our data collection
Sites removed before appearing in PhishTank are ignoredWe do not follow web-page redirectors
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Outline
1 The mechanics of phishing
2 Rock-phish attacks
3 Who’s winning the phishing arm’s race?
4 Comparing performance of defenders
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Rock-phish attacks are different!
‘Rock-phish’ gang operate different to ‘ordinary’ phishing sites
1 Purchase several innocuous-sounding domains (e.g.,lof80.info)
2 Send out phishing email with URL
http://www.volksbank.de.netw.oid3614061.lof80.info/vr
3 Gang-hosted DNS server resolves domain to IP address ofone of several compromised machines
4 Compromised machines run a proxy to a back-end server5 Server loaded with many fake websites (around 20), all of
which can be accessed from any domain or compromisedmachine
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Rock-phish attacks (cont’d.)
Rock-phish strategy is more resilient to failure
Dynamic pool of domains maps to another pool of IP addresses
Also increase confusion by splitting the attack componentsover disjoint authorities
Registrars see non-bank domainsCompromised machine owners don’t see bank webpages
Wildcard DNS confuses phishing-report collators
18 680 PhishTank reports during 8 week sample (52.6% of allreports)Reduces to 421 unique domains
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
‘Fast-flux’ phishing domains
Rock-phish gang’s strategy is evolving fast
In a fast-flux variant, domains resolve to a set of 5 IPaddresses for a short time, then abandon them for another 5
Burn through 400 IP addresses per week, but the upside (forthe attacker) is that machine take-down becomes impractical
Fast-flux strategy demonstrates just how cheap compromisedmachines are
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Rock-phish site activity per day
10
20
30
40
50
60
70
Mar Apr
Rock domains operationalRock IPs operational
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
New and removed rock-phish IPs per day
0
5
10
15
Mar Apr
Rock IPs addedRock IPs removed
Correlation coefficient r: 0.740Synchronized =⇒ automated replenishment
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
New and removed rock-phish domains per day
0
5
10
15
20
25
30
35
Mar Apr
Rock domains addedRock domains removed
Correlation coefficient r: 0.340Unsynchronized =⇒ manual replenishment
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Rock-phish domain and IP removal per day
0
5
10
15
20
25
30
35
Mar Apr
Rock domains removedRock IPs removed
Correlation coefficient r: 0.142Unsynchronized =⇒ uncoordinated response
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Outline
1 The mechanics of phishing
2 Rock-phish attacks
3 Who’s winning the phishing arm’s race?
4 Comparing performance of defenders
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Phishing-site lifetimes
Lifetime (hours)Sites Mean Median
Non-rock 1 695 61.69 19.52Rock domains 421 94.68 55.14Rock IPs 125 171.8 25.53Fast-flux domains 57 196.2 111.0Fast-flux IPs 4 287 138.6 18.01
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Histogram of phishing-site lifetimes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 MoreLifetime (days)
0%
10%
20%
30%
40%
50%Non−rock phishRock−phish domainsRock−phish IPsFast−flux domainsFast−flux IPs
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
And now for some curve fitting
1 5 50 5005e−0
45e
−03
5e−0
25e
−01
Site lifetime t (hours)
Prob
(Life
time>
t)
1 5 50 5005e−0
45e
−03
5e−0
25e
−01
Site lifetime t (hours)Pr
ob(L
ifetim
e>t)
1 5 50 5005e−0
45e
−03
5e−0
25e
−01
Site lifetime t (hours)
Prob
(Life
time>
t)
Lognormal Kolmogorov-Smirnovµ Std err. σ Std err. D p-value
Non-rock 3.011 0.03562 1.467 0.02518 0.03348 0.3781Rock domains 3.922 0.05966 1.224 0.04219 0.06289 0.4374Rock IPs 3.434 0.1689 1.888 0.1194 0.09078 0.6750
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
User response to phishing
Webalizer data
Web page usage statistics are sometimes set up by default in aworld-readable stateGives daily updates of which URLs are visitedWe can view how many times a ‘thank you’ page is visitedWe automatically checked all sites reported to PhishTank forthe Webalizer package, revealing over 700 sites
On-site text files
We retrieved around two dozen text files with completed userdetails from phishing sites200 of the 414 responses appeared legitimate
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
User responses to phishing sites over time
0 1 2 3 4 5
Days after phish reported
User
resp
onse
s
0
5
10
15
20
25
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Estimating the cost of phishing attacks
Having measured how many phishing sites exist, how longthey stick around, and how many people give away theirdetails, we can estimate the losses due to phishing
DISCLAIMER: Cost is the product of several fuzzy estimates1 1 438 banking phishing sites implies 9 347 p.a.2 61 hours on average implies 30 victims per site3 Gartner estimate cost of identity theft to be $572 per victim4 9 347 ∗ 30 = 280 410 victims ∗ $572 = $160.4m
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Estimating the cost of phishing attacks (cont’d.)
Estimate ignores rock-phish and fast-flux
Since rock-phish account for a large proportion of spam, weassume that they are at least as successful as ordinary phishingsitesOur final minimum cost estimate: $320m p.a.
Gartner estimates 3.5m people fall victim to identity theft at acost of $2Bn p.a.
Part of the disparity can be accounted for our conservativecounting of sitesThe difference can also be accounted for by other types ofidentity theft (theft of merchant databases, Trojan programsoperating keyloggers, etc.)
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Outline
1 The mechanics of phishing
2 Rock-phish attacks
3 Who’s winning the phishing arm’s race?
4 Comparing performance of defenders
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Breaking down site lifetimes
Phishing site lifetimes vary greatly, but can we make sense ofthe differences?
We have already established that the rock-phish gang are moreeffective than other attackersDo some banks perform better than others?Do some ISPs respond better than others?Does the timing of attacks make any difference?
Identifying exceptional performers (both good and bad) couldhelp encourage improved response times
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Number of phishing sites per bank
USBANKRBCCHASELLOYDSNATIONWIDE
POSTE_ITHALIFAX
HSBCFARGO
WACHOVIABOA
EBAY
PAYPAL
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Phishing-site lifetimes per bank (only banks >= 5 sites)
EGG
TCF
EGO
LDBO
ACI
TIBA
NKG
ERM
ANAM
ERIC
ANW
AMU
LLO
YDS
WAC
HOVI
AW
ESTU
NIO
NEB
AYNC
UADN
CUCH
ASE
PAYP
ALDE
SJAR
DINS
FARG
OHA
LIFA
XHS
BCPO
STE_
ITHA
WAI
IUSA
FCU
USBA
NKM
ILBA
NKST
GEO
RGE
BANK
OFQ
UEEN
SLAN
DNA
TIO
NWID
EAM
AZO
NFN
BSA
RBC
MO
NEYB
OO
KERS
BARC
LAYS
VISA
WES
TPAC
CAPI
TAL1
NATW
EST
FLAG
STAR
Life
time
(hou
rs)
0
50
100
150
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Take-down performance of free-website hosts
Some phishing attacks are hosted on free webspace
Overall, these sites are removed more quickly than siteshosted on compromised web servers
But significant variation remains
Sites Mean lifetime Median lifetime
yahoo.com 174 23.79 hours 6.88 hoursdoramail 155 32.78 hours 18.06 hourspochta.ru 1 253 33.79 hours 16.83 hoursalice.it 159 52.43 hours 18.83 hoursby.ru 254 53.11 hours 38.16 hours
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
‘Clued-up’ effect on free host & registrar take-down times0
200
400
600
.hk
Day reported
Site
lifet
ime
(hou
rs)
Mar Apr Jun Jul Aug
020
040
060
0
.cn
Day reported
Site
lifet
ime
(hou
rs)
May Jun Jul Aug0
200
400
600
alice.it
Day reported
Site
lifet
ime
(hou
rs)
May Jun Jul
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Do weekends adversely impact phishing site removal?
Mon Tue Wed Thu Fri Sat Sun
Hour
s
0
20
40
60
80
100
120 Non−rock−phish sitesRock−phish sites
Mon Tue Wed Thu Fri Sat Sun
Frac
tion
0.00
0.05
0.10
0.15
0.20
Phishing site lifetime by weekday (left) and number of reportedphishing sites by weekday (right)
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Discussion
Collusion dividend for rock-phish gang
Cooperation has strengthened the gang: pooling resources toswap between machines while impersonating many banks perdomainShould have attracted more attention from the banks, butperhaps sum-of-efforts nature of the cooperation enables banksto free-ride off each other’s vigilance
Countermeasures
Direct tactics like reducing the # of compromised machinesavailable or rate-limiting domain registration appears futileTransparency could help: publishing take-down performance bybank, ISP and country may pressure improvementsIncreasing awareness to targeted banks of rock-phish tacticsmay trigger cooperation
Tyler Moore Examining the Impact of Website Take-down on Phishing
The mechanics of phishingRock-phish attacks
Who’s winning the phishing arm’s race?Comparing performance of defenders
Conclusions
We have established that there is wide disparity in phishingsite lifetimes
Long-tailed distribution of lifetimes implies that a fewlong-lived sites are undermining the effectiveness of take-downcountermeasuresSome banks and ISPs are doing better than othersDisparity also suggests there is room for improvement throughbetter monitoring
We have also seen that attackers innovate: rock-phish sitesoutlive ordinary phishing sites through clever adaptations instrategy
For more, see http://www.cl.cam.ac.uk/~twm29/ andhttp://www.lightbluetouchpaper.org/
Tyler Moore Examining the Impact of Website Take-down on Phishing